npsimons's comments

Someone realized this a long time ago, and the Linux kernel is already being audited and tested, with regression tests, etc (see the Linux Testing Project). OpenSSH is also generally well regarded because of the same scrutiny.

Someone else made the comment that security can't be an afterthought, so PHP will probably never be auditable, and most people agree it should be dropped in favor of more robust technologies anyway.


It's somewhat understandable; OpenSSL is a bit of a mess, and the two most recent occurrences have made me seriously think about learning more crypto in order to write a replacement, à la DJB (cf. sendmail/qmail, bind/tinydns). Of course, while I think I wouldn't make any buffer overflow errors (I've got tools and training for that), I'm fairly certain I wouldn't get the crypto right the first time, and probably not the second either . . .

That being said, I too get annoyed at a few misguided POVs:

1) "Open source sucks!" - This bug would probably never have been found, and even less likely would it have been fixed, had OpenSSL been closed source.

2) "C sucks!" - OpenSSL would not be so widely used if it were written in another, less portable, less efficient language, and besides, bad code can be written in any language.


mst 4 days ago | link

I'd be fascinated to see what the results would be if the problem was tackled by somebody who was both capable of getting the crypto right, and willing to use DJB's substdio or any of the various equivalents.


grosskur 4 days ago | link

DJB already wrote his own crypto library, NaCl:


It's been packaged up as libsodium:


That said, even DJB doesn't trust himself to write bug-free C code:



Customers are idiots. To wit:

"If I had asked people what they wanted, they would have said faster horses." -- Henry Ford


taiki 7 days ago | link

Customers aren't always idiots. However, there's a special kind of engineering idiocy that thinks that having a humidity sensor in a phone is a great idea.


Google+ appears to do the same thing with C-PgUp and C-PgDown; if I had wanted those keys to stop working properly, I would have used some ass-backwards browser like IE. If I've got a Google+ post open and I'm scrolling briskly through tabs, it's like hitting a brick wall.


Yes, it's called NoScript.


blueskin_ 7 days ago | link

Too many crappy javascript-mandatory websites for that to work all the time, sadly.


I’m talking to you, Blogger.

Is this the same Blogger that requires JavaScript to view plain text? Or maybe I'm getting it confused with blogspot, I can never keep them all straight. In any case, I don't think it's a coincidence . . .


If someone donates money to support a bill to make it illegal for straight people to marry, then the comparison might be justified. Until then, equating a private, in-born sexual preference (or opinions of such) with attempting to enshrine bigotry in the law is really stretching things.


I think that this case is doing a lot of bad to the cause of gay rights

Indeed; if one were of a more conspiratorial bent, they might be inclined to think that's the exact purpose of this whole farce.


It's been said before[1] and I'll say it again: some things aren't worth your full reading attention. Heck, even if they were, you don't have enough time to read everything[2].

That being said, I am a little worried that people (at least myself) aren't getting as "deep" into topics as they might have used to. I try to solve this by (very carefully!) picking books that I can slowly digest, over multiple readings. If nothing else, just reading them at the inspectional and superficial levels can help me decide whether I need to go back for more.

[1] - See "How to Read a Book"

[2] - https://what-if.xkcd.com/76/


People are more than free to express any opinion they have, including the opinion that bigoted discriminating opinions are wrong, and don't really fit the ideals of an organization such as Mozilla.


